========= Configs =====
CentOS 7.4.1708 (Core)
SSSD: 1.15.2-50
python-sssdconfig-1.15.2-50.el7_4.8.noarch
libsss_autofs-1.15.2-50.el7_4.8.x86_64
sssd-ipa-1.15.2-50.el7_4.8.x86_64
sssd-dbus-1.15.2-50.el7_4.8.x86_64
sssd-1.15.2-50.el7_4.8.x86_64
libsss_certmap-1.15.2-50.el7_4.6.x86_64
libsss_idmap-1.15.2-50.el7_4.8.x86_64
sssd-client-1.15.2-50.el7_4.8.x86_64
sssd-common-1.15.2-50.el7_4.8.x86_64
sssd-common-pac-1.15.2-50.el7_4.8.x86_64
sssd-ad-1.15.2-50.el7_4.8.x86_64
sssd-krb5-1.15.2-50.el7_4.8.x86_64
libsss_simpleifp-1.15.2-50.el7_4.8.x86_64
sssd-proxy-1.15.2-50.el7_4.8.x86_64
sssd-tools-1.15.2-50.el7_4.8.x86_64
libsss_nss_idmap-1.15.2-50.el7_4.6.x86_64
libsss_sudo-1.15.2-50.el7_4.8.x86_64
sssd-krb5-common-1.15.2-50.el7_4.8.x86_64
sssd-ldap-1.15.2-50.el7_4.8.x86_64
python-sss-1.15.2-50.el7_4.8.x86_64
== Active directory 2016
Domain : subdomain.domain.org
2 domain controllers
DC0001
DC0002
Both DC are acting as DNS, NTP, DC, Global Catalog
Posix attributes have been added into the Global Catalog
The Linux host has been joined in the AD using "realm join"
===
==== Issue ====
When a server is multi-homed, SSSD is unable to discover the Global Catalog (GC are discovered on servers having only one NIC).
The issue persists after one of the network interfaces is removed.
While I do not see an obvious error in the debug log, there seems to be some noticeable behavior in the logs (see extract below).
[sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.DataProvider.Failover.ListServices on path /org/freedesktop/sssd/dataprovider
[sssd[be[SUBDOMAIN.DOMAIN.ORG]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
TCPDUMP indicates that the SSSD client did query the DNS for the AD records (SRV), and that the answers did flag the Global Catalog properly.
To reproduce:
Set up an AD 2016, with two DC
Add (using Schema Manager) the POSIX attributes in the GC
Configure the AD default site to list all the subnets involved
Install CentOS
Install Kerberos + SSSD + realm & dependencies (from CentOS repos)
Join the domain using realm join
-- Configure krb5.conf & sssd.conf accordingly
# sssctl domain-status SUBDOMAIN.DOMAIN.ORG
Online status: Online
Active servers:
AD Global Catalog: DC0001.subdomain.domain.org
AD Domain Controller: DC0001.subdomain.domain.org
Discovered AD Global Catalog servers:
- DC0001.subdomain.domain.org
- DC0002.subdomain.domain.orga
Discovered AD Domain Controller servers:
- DC0001.subdomain.domain.org
- DC0002.subdomain.domain.org
========
Add a second interface, set up the interface with a valid IP
Re-run sssctl
# sssctl domain-status SUBDOMAIN.DOMAIN.ORG
Online status: Online
Active servers:
AD Global Catalog: not connected
AD Domain Controller: DC0001.subdomain.domain.org
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- DC0001.subdomain.domain.org
- DC0002.subdomain.domain.org
========
Remove the interface, reboot. sssctl domain status will return the same result.
==== Last update ===
A second server that never had a second interface shows the same symptoms after SSSD has been restarted. No changes I'm aware of.
Note: the logs supplied have been anonymized. I have been careful to do a consistent substitution, including the case.
Attachment: Bug_sssd.zip
Hi, sorry for the late reply. We did not have many people around during Christmas. This is not a bug, rather an expected behavior, as far as the provided logs can tell.
SSSD is performing DNS discovery for both domain controllers and global catalog servers on demand. Therefore sssctl will show no servers for either category if such servers were not required so far.
I see successful attempts to discover the "AD" service, which translates to domain controllers, but no attempt to resolve the "AD_GC" service, which means global catalog. If you first give any query that will use the global catalog, it should tell you the servers. For example:
id some-user
sssctl domain-status domain
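Added example, not part of the original ticket or of SSSD's code: a small shell function that reads `sssctl domain-status` output and classifies the Global Catalog section, so the on-demand state described in the reply above ("None so far." / "not connected") can be told apart from a populated server list. The function name `gc_state`, its result labels and the two sample inputs are assumptions constructed from the outputs quoted in the report.

```shell
#!/bin/sh
# Added example, not SSSD project code. Reads `sssctl domain-status` output on
# stdin and classifies the Global Catalog state as one of:
#   connected | discovered | not-yet-discovered | unknown
gc_state() {
    awk '
        # "Active servers" entry, e.g. "AD Global Catalog: not connected"
        /AD Global Catalog:/ {
            sub(/.*AD Global Catalog:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            active = ($0 != "" && $0 != "not connected")
            next
        }
        /Discovered AD Global Catalog servers:/ { in_gc = 1; seen = 1; next }
        /^[ \t]*Discovered / { in_gc = 0 }        # start of another server list
        in_gc && /^[ \t]*-[ \t]*[^ \t]/ { n++ }   # one "- host" line per server
        END {
            if (!seen)       print "unknown"
            else if (active) print "connected"
            else if (n > 0)  print "discovered"
            else             print "not-yet-discovered"
        }'
}

# Constructed samples that mirror the two outputs quoted in the report.
sample_before='Active servers:
AD Global Catalog: DC0001.subdomain.domain.org
AD Domain Controller: DC0001.subdomain.domain.org
Discovered AD Global Catalog servers:
- DC0001.subdomain.domain.org
- DC0002.subdomain.domain.org
Discovered AD Domain Controller servers:
- DC0001.subdomain.domain.org'
sample_after='Active servers:
AD Global Catalog: not connected
AD Domain Controller: DC0001.subdomain.domain.org
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- DC0001.subdomain.domain.org'

for s in "$sample_before" "$sample_after"; do
    printf '%s\n' "$s" | gc_state
done
```

On a live host, run a lookup first as the reply suggests (`id some-user`), then pipe `sssctl domain-status <domain>` into `gc_state`. A `not-yet-discovered` result before any lookup matches the on-demand discovery described in the reply.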
No further comments for one month, therefore I assume the issue is no longer valid and can be closed.
Metadata Update from @jhrozek:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4623
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.